Healthcare Associations Request Safe Harbor for Entities That Have Followed Cybersecurity Best Practices

The College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Security (AEHIS), the Association for Executives in Healthcare Information Technology (AEHIT), the American Hospital Association (AHA) and the American Medical Association (AMA) have requested that healthcare organizations be offered a safe harbor if they have adopted industry best practices for securing healthcare data, yet still suffer a data breach. Those organizations, it has been suggested, should be exempt from financial penalties from OCR and state attorneys general.

The requests were made along with other suggestions for possible changes to HIPAA following the Department of Health and Human Services’ request for information (RFI) in December 2018. The HHS asked for comments from healthcare providers and other industry stakeholders on ways that HIPAA could be updated to ease the administrative burden on HIPAA-covered entities and ways current regulations could be changed to promote data sharing for coordinating patient care. In total, the HHS received more than 1,300 comments on potential changes before the February 12, 2019 cutoff date for comment.

Healthcare organizations could implement cybersecurity frameworks, give employees security awareness training, adopt cybersecurity best practices, and invest heavily in cybersecurity solutions, but still end up suffering a data breach. It’s been contended that entities that have made reasonable attempts to protect patient information should not be the subject of financial penalties.

CHIME proposed that OCR ought to provide a safe harbor for healthcare providers who have shown themselves to follow a set of guidelines like those detailed in the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP).

The AHA proposed giving support and resources to healthcare organizations that experience cyberattacks, instead of penalizing the breached entity. Enforcement work ought to be centered on investigating attackers and prosecuting them rather than the victims of data breaches. The AHA stated that in the event of an attack, an investigation is required to figure out how systems and data access were obtained. Lessons can be learned, safety measures can be enhanced, and information about vulnerabilities and threats should then be shared with other healthcare organizations so they can use the information to protect their networks and data. The AHA recommends a safe harbor for HIPAA covered entities with proven compliance with cybersecurity best practices, such as those enacted by HHS.

The AMA recommends that OCR modify the HIPAA Security Rule to state that when covered entities choose and employ a security framework like the NIST Cybersecurity Framework or apply the Health Industry Cybersecurity Practices, they should be considered to be compliant with the Security Rule.

The AMA likewise recommends that OCR ought to alter its approach to protecting health data. Instead of issuing penalties for violations, OCR should provide positive incentives to encourage healthcare providers to enhance their security to better protect health data.

CHIME mentioned that the present policy that requires the reporting of breaches and listing them on the OCR breach portal is unduly punitive and that there ought to be a system for delisting breaches as soon as the covered entity has done what is necessary to fix vulnerabilities that resulted in a breach.

The HHS is currently reviewing all comments and responses acquired with regards to its RFI and will make a decision about aspects of HIPAA that will be changed. No timescale for any HIPAA changes has been provided.